Phishing has become a prevalent method to fraudulently gain money or information.
To shore up its defenses against phishing attacks, Orange County’s Credit Union puts employees in real-world scenarios and circles back with performance data.
Hackers want two things: Money and personal information. The fact credit unions have access to both makes them a target for bad actors, and one way fraudsters get what they want is through phishing.
Phishing is the practice of sending fraudulent emails to trick an individual into revealing valuable information — including passwords, credit card numbers, and more. Phishing has been around for a decade or more, says Kevin Hill, the information security expert for Orange County’s Credit Union ($2.1B, Santa Ana, CA), yet it has become more prevalent in recent years as more sophisticated cybersecurity has made other forms of hacking more difficult.
CU QUICK FACTS
Orange County’s Credit Union
HQ: Santa Ana, CA
Data as of 09.30.20
12-MO SHARE GROWTH: 21.6%
12-MO LOAN GROWTH: 3.8%
“Most organizations have the right security controls in place to make actions like trying to get through the firewall obsolete,” Hill says. “Phishing is more focused on the human element. They are trying to gather information by tricking a person rather than a system.”
Hill’s work has helped Orange County’s achieve a phishing failure rate that is 2% lower than the industry average. In this Q&A, he discusses the steps the credit union is taking to combat phishing emails, how to train associates, what measures credit unions should consider adopting, and more.
Why do people fall prey to phishing schemes?
Kevin Hill: It has to do with the formatting. The best phishing emails look like real emails coming from real organizations, like Amazon or UPS. The hackers just change the links within the email to their own malicious websites. These bad actors also tend to create urgency, telling people to click on something now. If they don’t think about it, people can click a link before they fully review it.
I would say credit union employees fall prey to these schemes less than other industries because we have better controls in place — better technology and better training.
What systems do you have in place at Orange County’s to help employees before they make a mistake?
KH: Security has always been top-of-mind, but we put a system in place a few years ago that gives us more awareness of phishing metrics. We can see what our employees are doing and provide training to make them more effective. For us, testing is critical, and we do a lot of it.
We send phishing emails to our associates on a weekly basis that look exactly like phishing emails. In fact, they’re real-world examples. We regularly test with the difficulty setting cranked all the way up, which allows our team to see what’s out there in the world and to know what to expect when one comes across their inbox.
In addition, our associates report phishing emails. If they suspect an email is phishing, they can click a button through their Outlook that will report the email to our security team. We check to see if it’s a real phishing email and report back to the target. That offers a bit more hands-on training.
We also tie some of our phishing testing to associate performance, which makes them feel more responsible for our security performance and show them what they’re learning.
Do these phishing tests hit every employee? From CEO to teller?
KH: Absolutely. We test everyone, from top to bottom. We even test associates that might have a slightly higher risk profile more frequently.
Do you change these tests and improve them to challenge your associates?
KH: We’re trying to keep our associates vigilant. I’ve seen programs from other companies that test less frequently and send the same email to the same employee. That tends to be ineffective because people figure out patterns. They know what week of the month it is, and they’ll look for it then and drop their guard the rest of the time. We want our employees constantly looking for those emails. If it’s something they’re consistently seeing, they’re going to know it when it’s real.
What are some of the best elements of an effective phishing email?
KH: Urgency, of course. But, also, when the emails come from a company they know and trust. Delivery couriers like UPS, FedEx, and Amazon are good, but so are those that use Microsoft Services, like Office 365. People are programmed to pay attention to those.
There have been more and more COVID-19-related phishing attacks that target the urgency of the situation. One of the most effective tools you have is to ensure your employees slow down when they see something fishy.
You mentioned employees report phishing attacks through Outlook. How does that work?
KH: Many phishing testing systems include an email provider plugin to report phishing emails. When someone clicks it, whether it’s a test from us or a real phishing email, it gets recorded in our testing system and sent to our team for analysis. From that analysis, we can detect the likelihood of a spear phishing campaign. If our organization is being targeted, and our employees report it, we can block the links that are in the phishing emails and other emails coming from that source. That initial reporting allows us to shore up spear phishing campaign issues.
So, associates are the first line of defense?
KH: Actually, no. There are other layers of filtering before a phishing email gets to an associate. I can’t get into too much detail without giving away our secret sauce. In our layered approach to protecting against a spear phishing attack, our associates are probably in one of the middle layers.
We encourage associates to report emails because it’s not just up to the security team. Associates are part of the security team, too.
What gets tracked when an employee clicks on the report functionality in their email?
KH: We can see whether an associate actually reported a given email. We use that information in performance reviews — but only in a constructive way. We want our teams to be vigilant, and we know who is and who could be better.
We track who opens what, reports what, and how many emails per day are reported as phishing. We go beyond the associate, too, to see the total number of potential phishing emails we receive and how many are automatically filtered out.
How would you like to see the needle move internally in terms of vigilance?
KH: We’ve always had strong numbers. When it comes to failure rate, we’re 2% below the industry average. We track how often employees report phishing emails and those numbers continue to go up. A lot of that has to do with promoting our security program throughout the organization. We encourage associates to report emails because it’s not just up to the security team. Associates are part of the security team, too.
Is it a challenge for employees to think this way?
KH: It hasn’t been a challenge for us. Our associates have a high level of responsibility, which relates back to our hiring practices. Part of it, too, is the credit union mentality. Our associates feel responsible for our members, the member experience, and their money and personal information.
Are there other cybersecurity measures you’re taking to fight off bad actors?
KH: We take a layered approach. Certainly, we have antivirus and anti-malware systems that stop bad actors, but we also take it down to behavior-based monitoring.
Are there lessons for other credit unions you can draw from your phishing testing?
KH: Test often, and use real-world examples. Don’t underestimate the associates, either. Crank up the difficulty. I’ve been pleasantly surprised to see how associates respond to more difficult tests.
Then, I would say accountability is key. Without it, the program isn’t nearly as effective.
This interview has been edited and condensed.
Want more credit union strategies? Sign up for the CreditUnions.com free newsletter.